SELinuxPolicy

For checkpoint/restart we add a new 'restore' permission to a few SELinux object
classes: process, file, ipc, and msg.

Note that for the most part you can simply not pass -k to restart (see below) and
so not need the restore permissions. However, if the application was checkpointed
with non-empty sysvipc message queues, then the msg:restore permission will still
be needed. (This will probably change.)

When restarting a process, you can specify the '-k' flag to request the checkpointed
SELinux labels be restored. Doing so requires that the domain in which /bin/restart
is running have the class:restore permission for the checkpointed label.

To grant that permission, you can do one of two things. First, you can compile a
policy which defaults to 'allow' for unknown permissions. See the UNK_PERMS
variable in refpolicy/build.conf.

Alternatively, you can recompile your SELinux policy to be aware of the restore
labels. You'll want to edit refpolicy-$version/policy/flask/access_vectors to add
'restore' to the common ipc, class file, class ipc, and class msg. After
recompiling and installing, you'll need to go to
/usr/share/selinux/devel/include/support and edit all_perms.spt to add restore to
all_file_perms, all_process_perms, all_ipc_perms, and all_msg_perms.

Of course the above should all be done in upstream policy when checkpoint/restart
hits the upstream kernel.

You can then compile a small module, such as the one below, which gives unconfined_t
restore permission to itself.
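
A module of that kind, written here as an added example and not the module from the original page. It assumes the policy has already been rebuilt with the 'restore' permission as described above; the module name cr_restore is hypothetical.

```selinux
# Added example, not the original module from this page.
# Assumes access_vectors and all_perms.spt already carry the restore
# permission for the process, file, ipc and msg classes.
# The module name cr_restore is a hypothetical choice.
policy_module(cr_restore, 1.0.0)

gen_require(`
	type unconfined_t;
')

# restart -k run from unconfined_t may restore checkpointed labels
# only when the checkpointed label is unconfined_t itself.
allow unconfined_t self:process restore;
allow unconfined_t self:file restore;
allow unconfined_t self:ipc restore;

# Needed for a checkpoint that holds non-empty sysvipc message queues.
allow unconfined_t self:msg restore;

# A checkpointed object carrying any other label needs its own rule
# naming that label as the target type. None is granted here, so the
# restart domain cannot recreate objects under labels that the policy
# author did not list.
```

Saved as cr_restore.te, the module builds with `make -f /usr/share/selinux/devel/Makefile cr_restore.pp` and loads with `semodule -i cr_restore.pp`.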